
I have already configured Red Hat 5.5 as a PDC (Primary Domain Controller), and the clients (Windows XP and Windows 2003) can join the realm. The realm name of the Linux server is EXAMPLE.COM.

Currently, when the client (e.g., Windows 2003) joins EXAMPLE.COM, the packets captured by Wireshark show only NTLM in the DCERPC protocol and no Kerberos packets at all. The conclusion is that the client is not performing Kerberos authentication. My Samba configuration file smb.conf is as follows:

  [global]
  # my domain name
  workgroup = SINF
  server string = Samba PDC Server
  # my host name
  netbios name = SAMBA149
  local master = yes
  preferred master = yes
  domain master = yes
  wins support = yes
  os level = 100
  domain logons = yes
  logon drive = K:
  logon script = startup.bat
  time server = yes
  admin users = root
  logon path = \\%N\%U\profile
  logon home = \\%N\%U
  log file = /var/log/samba/log.%m
  max log size = 50
  security = user
  passdb backend = tdbsam

  [netlogon]
  comment = Network Logon Service
  path = /winhome/netlogon
  writable = no
  write list = root
  follow symlinks = yes
  guest ok = yes

  [homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mode = 0664
  directory mode = 0775

  [project]
  comment = smbuser's project
  path = /home/samba/project
  browseable = yes
  writeable = yes
  write list = @users

Next, I want Kerberos authentication to be performed when the client joins the PDC. How can I achieve this? Any help would be sincerely appreciated! Thank you very much in advance!

  • The concept of a PDC has been outdated since the release of Windows Server 2003. You are likely to find more information if you simply call it a domain controller. – Falcon Momot Nov 12 '13 at 04:32
  • Thank you very much for reminding me! As I checked on the internet, from the beginning of Microsoft Windows 2000 there is no longer a distinction between the PDC and the BDC; all domain controllers are in an equivalent position. Changes on one domain controller are replicated to the other domain controllers. We call it the PDC Emulator. – laoyang360 Nov 12 '13 at 06:58

1 Answer

Have a look at this: http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

To be honest, the reason why Kerberos is not used is a bit complicated, to say the least. Here's a quick checklist from the top of my head:

  1. Are the clients configured to use Kerberos? They might fall back to NTLM when Kerberos does not succeed.
  2. Do you have Kerberos configured on the PDC? If not, Samba is not able to use Kerberos auth.
  3. Are the clocks in sync between the PDC and the clients? Kerberos is picky about time.
  4. Are you able to successfully get Kerberos credentials by using kinit? If not, you haven't configured Kerberos at all.
  • Thank you for your advice. Relying on your advice, I checked my configuration: – laoyang360 Nov 12 '13 at 13:29
  • I have reconfigured my Samba and Kerberos following the document from you. Now the Windows client (Windows 2003) performs Kerberos authentication when it joins the Samba PDC. But a “STATUS_ACCESS_DENIED” packet appears in the capture from Wireshark. I have not found where the problem is. @John Wilcox – laoyang360 Nov 12 '13 at 13:48
  • I have configured it successfully; the client (Windows 2003) can join the Samba domain on Red Hat 5.5. Next, what I want to do is find out how the keys and tickets from Kerberos authentication are obtained in the Samba source code. There are still many issues to address. Thank you very much! @John Wilcox – laoyang360 Nov 13 '13 at 11:02
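As an added example (not from the question, the answer, or the Samba project), a small smb.conf checker for checklist item 2: it flags the things in the question's configuration that rule out Kerberos, namely the NT4-style domain settings (security = user with domain logons = yes and no realm or AD DC role) and the trailing "#" comments that Samba keeps as part of a value, since it only ignores whole-line comments. The sample configuration is a constructed excerpt of the one in the question; the parameter name server role is the Samba 4 AD DC setting referred to in the linked HOWTO.

```python
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # Samba ignores only whole-line comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key.lower(), value))  # trailing '#...' stays in value
    return sections

def kerberos_findings(text):
    """List the reasons this smb.conf cannot give clients Kerberos tickets."""
    sections = parse_smb_conf(text)
    findings = []
    for sec, items in sections.items():
        for key, value in items:
            if "#" in value:
                findings.append(f"[{sec}] {key}: '#...' is part of the value {value!r}")
        dups = {k for k, _ in items if [x for x, _ in items].count(k) > 1}
        findings += [f"[{sec}] {k} is set more than once" for k in sorted(dups)]
    glob = dict(sections.get("global", []))  # last occurrence wins, as in Samba
    if "active directory" not in glob.get("server role", "").lower() and "realm" not in glob:
        findings.append("[global] no AD DC role and no realm: NT4-style domain, NTLM only")
    if glob.get("domain logons", "no").lower() == "yes" and glob.get("security", "user").lower() == "user":
        findings.append("[global] security = user with domain logons = yes is an NT4 PDC, not a KDC")
    return findings

# Constructed excerpt of the question's smb.conf for a stand-alone run.
SAMPLE = """[global]
  workgroup = SINF                    #my domain name
  local master = yes
  local master = yes
  domain logons = yes
  security = user
  passdb backend = tdbsam
"""

if __name__ == "__main__":
    print("\n".join(kerberos_findings(SAMPLE)))
```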